BYOD Demands New Approach To IT Security Rules

Grant Taylor of Cryptzone provides his views on Bring-Your-Own-Device (BYOD) and its implications for corporate security rules and policies.

Employees have differing views when it comes to what they like - not everyone wants a Volkswagen Golf, and many company car schemes take this into consideration. As a concept it works fantastically – instead of having a pool of company-owned cars, employees are given an allowance to offset against their own vehicle. Genius!

A few years ago organisations extended this practice into other areas of the business – for example, an allowance to fund purchasing a laptop. The theory was that, if the employee gets ownership of the device after three years, they’re more likely to ‘look after’ it. Consumerisation of IT, or Bring Your Own Device (BYOD) as it’s becoming more commonly known, was born as a concept, and with it a can of worms was not only opened, but flung all over the place.

The problem is …

Genius as the idea was, integrating different operating systems was just the tip of the problem iceberg – changing functionality, applications and connectivity all had to be addressed and standardised. Then came the discussion about what could, and couldn’t, be done with the devices. At first email was the essential must-have, which quickly moved on to the ability to access corporate information. Suddenly security became the elephant in the room.

It wasn’t too long before organisations started to suffer breaches, and public humiliation, as these mobile missiles haemorrhaged sensitive corporate information. Some were lost, some were stolen and a few were sold legitimately on public auction sites! For the technology team, the issue was no longer enabling their use but securing the data they carried.

Move on a few years and the situation we find ourselves in today is not dissimilar. On one side, employees want to utilise technology that fits with their lifestyle - although now they’re happy to fund it themselves. In the ‘other corner’, the technology team is tasked with sanctioning its use, but needs to do so securely.

Saying no is simply not an option – for either side.

Barriers – Up or Down?

The main issue is that, for the majority of organisations, the technology team had barely got to grips with laptops when smartphones started storming the organisation’s enterprise. Without time to properly draw breath, the iPad came along and joined the offensive. Unfortunately the formula of an affordable price tag with superb functionality makes these new business tools too valuable to blanket block. In far too many cases IT is having to play catch-up, with some teams in danger of losing the game.

Rather than always trying to pre-empt the next advance, technology teams need to find ways to secure the defences now that also future-proof the organisation for tomorrow’s world.

Stand Firm and Secure

If we look at the basic problem, in both private and public sector organisations, people are able to consume information on their devices in their personal lives and have found it to be beneficial. They simply want the same flexibility in their business lives, and this means the ability to consume corporate information on the same devices.

The challenge for the technology team is to put controls in place that allow people to do that while keeping the data they access secure.

Well it’s simple then, isn’t it?

Actually it hasn’t been until now. However, Cryptzone has come up with the best solution that covers most permutations – different devices, different operating systems in different scenarios (e.g. laptop at home, iPad on public transport, smartphone in Wi-Fi café, etc.).

A Holistic View

Organisations could take a conjoined approach to their access strategy that gives people granular access in a safe and secure fashion.

One method is to provision users with role-based, location-based and device-based access. This method means each request is permitted or declined depending on the user, their device, its location and what information is being accessed.
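A sketch of such a per-request decision, as an added example rather than Cryptzone’s product logic. The roles, device types, locations, data classes and the rule tables are all constructed for illustration; anything the tables do not cover is declined.

```python
from dataclasses import dataclass

# Constructed policy: which data classes each role may read at all.
ROLE_CLEARANCE = {
    "finance": {"public", "internal", "confidential"},
    "sales": {"public", "internal"},
    "contractor": {"public"},
}
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2}
# Constructed policy: most sensitive class a device/location pair may receive.
CONTEXT_CEILING = {
    ("managed", "office"): 2,
    ("managed", "home"): 2,
    ("managed", "public_wifi"): 1,
    ("personal", "office"): 1,
    ("personal", "home"): 1,
    ("personal", "public_wifi"): 0,
}

@dataclass(frozen=True)
class Request:
    role: str
    device: str
    location: str
    data_class: str

def decide(req):
    """Return (allowed, reason); default is to decline."""
    if req.data_class not in SENSITIVITY:
        return False, "unknown data classification"
    if req.data_class not in ROLE_CLEARANCE.get(req.role, set()):
        return False, "role not cleared for this data"
    ceiling = CONTEXT_CEILING.get((req.device, req.location))
    if ceiling is None:
        return False, "unrecognised device or location"
    if SENSITIVITY[req.data_class] > ceiling:
        return False, "device/location not trusted for this data"
    return True, "permitted"

if __name__ == "__main__":
    for r in [
        Request("finance", "managed", "office", "confidential"),
        Request("finance", "personal", "public_wifi", "confidential"),
        Request("sales", "personal", "home", "internal"),
        Request("contractor", "managed", "office", "internal"),
        Request("sales", "jailbroken", "home", "public"),
    ]:
        print(r, decide(r))
```

The same user gets different answers as the device and location change, which is the granularity the paragraph describes.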

For many organisations that’s easier said than done. However, there are solutions on the market which deliver such granularity without introducing significant administrative and support overhead.

Another option would be to introduce Access on Demand. A relatively new twist on a tried and tested concept, it stores information in a secure central location – not dissimilar to a public library. However, rather than being able to walk in and browse, users are sent a secure link that takes them to the exact location – be it file, page or record – where the information is stored. At this point they can read, edit, or do anything else that they need to do, but without the information leaving the central repository. To further strengthen this option, access could be secured with authentication – for example a passcode sent to a device registered to the user that has to be entered before the file can be opened.
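The Access on Demand flow described above, sketched as an added example that is not Cryptzone’s implementation. The host `repo.example`, the lifetimes, the function names and the in-memory passcode store are assumptions; the link is bound to one user and one resource with an HMAC, and the passcode is single-use.

```python
import hashlib, hmac, secrets, time
from urllib.parse import parse_qs, urlencode, urlsplit

LINK_KEY = secrets.token_bytes(32)  # server-side signing key, never leaves the repository
LINK_TTL, OTP_TTL = 900, 300        # assumed lifetimes in seconds
_pending = {}                       # user -> (passcode, expiry); in-memory for the demo

def _sign(query):
    return hmac.new(LINK_KEY, query.encode(), hashlib.sha256).hexdigest()

def make_link(user, resource, now=None):
    """Link that names one user and one resource, expires, and is signed."""
    now = time.time() if now is None else now
    query = urlencode({"u": user, "r": resource, "e": int(now) + LINK_TTL})
    return f"https://repo.example/open?{query}&s={_sign(query)}"

def issue_passcode(user, now=None):
    """Six-digit single-use code; a real system sends it to the registered device."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"
    _pending[user] = (code, now + OTP_TTL)
    return code

def open_resource(url, passcode, now=None):
    """Return the resource to render in place, or None if any check fails."""
    now = time.time() if now is None else now
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    try:
        query = urlencode({"u": q["u"], "r": q["r"], "e": q["e"]})
        sig, expires = q["s"], int(q["e"])
    except (KeyError, ValueError):
        return None
    if not hmac.compare_digest(_sign(query).encode(), sig.encode()) or now > expires:
        return None  # link forged, altered or expired
    code, otp_expiry = _pending.pop(q["u"], ("", 0))  # consumed on first attempt
    if now > otp_expiry or not hmac.compare_digest(code.encode(), passcode.encode()):
        return None  # no pending code, expired, or wrong
    return q["r"]

if __name__ == "__main__":
    link = make_link("alice", "finance/q3-forecast.xlsx")
    print(open_resource(link, issue_passcode("alice")))
```

Only the resource name is returned for server-side rendering; the file itself is never placed in the link or sent to the device.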

With this approach the user gets the flexible, agile work experience they’re so hungry for, regardless of the device they’re using, and the organisation’s information never leaves its control, as it is not transferred to the end user’s device.

For those organisations looking to introduce secure collaboration, especially with a third party, this approach means organisations can provision external agencies safely and securely, and quickly, offering even greater flexibility.

As a popular advertisement would say, ‘Simples!’

At the end of the day, it is data that is king and must be protected at all costs. Rather than trying to secure every device known to man, and those that are being dreamt of, organisations can provision security that fits in today’s mobile and agile world.